This series of articles will cover the foundations of a functional OT cybersecurity program.
An OT cybersecurity policy is the foundation of an OT cybersecurity program and will inform the areas and controls your organization focuses on to secure its OT environment. Creating an OT cybersecurity policy document needs to be one of the first steps toward creating a comprehensive OT cybersecurity program. In most organizations, the process of creating an OT cybersecurity policy will take the form of augmenting an existing IT or corporate cybersecurity policy. There might be cases where an organization decides to have a separate document.
The OT cybersecurity policy document defines:
- Scope of cybersecurity controls
- Organizational assets to which the controls apply
- Acceptable levels of risk to the organization
- Enforcement processes
- Compliance requirements
- Assessment and audit requirements
- Roles of personnel
- Responsibilities assigned to each role
- Training and awareness requirements for each role
The scope of controls should cover the major areas of concern for OT. Following an industry framework specific to OT cybersecurity will help in identifying these areas. Frameworks such as NIST 800-82 and ISA-62443 can be used to identify specific security controls, their applications, and the extent of their implementation required by the organization. It's important to note that these frameworks are written for industrial control systems. They are developed to cover the major areas but are not purpose-built for every type of OT. For example, not every control applies to smart building OT, such as building management systems or lighting control systems. Furthermore, certain industries may have specific cybersecurity frameworks that cater to regulatory requirements, and those would be more appropriate to use. Regardless, it is beneficial to use OT frameworks as a guide.
The extent to which security controls are implemented relates directly to the level of risk that an organization is willing to accept. Not every security vulnerability needs to be remediated, nor every design flaw fixed. Some risks will be acceptable, but the organization needs to set boundaries. Defined processes that enforce security controls and compliance requirements through routinely scheduled assessments or audits ensure the sustained implementation of these controls. All of these need to be outlined in the OT cybersecurity policy.
As a principle, policies should address roles, not individuals. When defining roles and responsibilities, the organization needs to identify a role (or a team) that will champion OT cybersecurity initiatives across the organization. Policy content needs to be communicated across the organization, from the organization’s board members, executives and senior leadership to OT operations, and, eventually, vendors and service providers.
The value of a cybersecurity policy will be evident to senior leadership. Facility teams and operators, however, will take some convincing. These folks are not accustomed to referring to a defined policy when dealing with day-to-day issues; they resolve issues as and when they arise. Their aim is to keep the facility or process running, ensure the OT systems don't break, and minimize tenant complaints, and they improvise solutions on the fly when problems come up. The last thing they want is rigidity in how they solve issues and run operations. The challenge for the champion of the OT cyber policy is to make clear to them that the cybersecurity program and its associated policy exist to aid them in their day-to-day work: the policy is there to provide a point of reference when they encounter issues. The policy and its compliance requirements are NOT meant to audit them or dictate their daily routine. Instead, following the policy enables them to do what they do best: operate the facility and keep the process environment running.
Vendors are well known for putting up roadblocks when asked to adhere to a policy. They may cite several reasons, technical or otherwise, why adhering to the OT cybersecurity policy will hinder their work, compromise their systems, and increase their costs. When dealing with vendors, it is important to remember that they are partners and that their systems will be in the building for a long time. This point needs to be reinforced by getting them to adhere to the cybersecurity policy. With the rampant increase in cyber-attacks and threats, no vendor should question the importance of cybersecurity controls or the need to adhere to a policy. If they object or persist in non-compliance, however, a tougher stance can be taken concerning their services and contracts. Asset owners and operations teams have more leverage in this situation than they tend to believe.
The next level under the policy should include the OT-specific security standards and baselines. The standards stipulate the compulsory requirements and security controls needed for OT system cybersecurity. More cyber-mature organizations also prepare guide specifications for this purpose, which include the functional, operational, and security requirements of an OT system. This guide specification is then handed off to proponents when procuring a new OT system or upgrading an existing one. The baseline is the minimum set of security controls or security levels for each OT system and is a more operationally focused form of a standard.
Over the next series of posts, we’ll cover more distinct focus areas for OT cybersecurity.